Total
3925 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-56335 | 1 Dani-garcia | 1 Vaultwarden | 2025-08-19 | N/A | 7.6 HIGH |
| vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. In affected versions an attacker is capable of updating or deleting groups from an organization given a few conditions: 1. The attacker has a user account in the server. 2. The attacker's account has admin or owner permissions in an unrelated organization. 3. The attacker knows the target organization's UUID and the target group's UUID. Note that this vulnerability is related to group functionality and as such is only applicable for servers who have enabled the `ORG_GROUPS_ENABLED` setting, which is disabled by default. This attack can lead to different situations: 1. Denial of service, the attacker can limit users from accessing the organization's data by removing their membership from the group. 2. Privilege escalation, if the attacker is part of the victim organization, they can escalate their own privileges by joining a group they wouldn't normally have access to. For attackers that aren't part of the organization, this shouldn't lead to any possible plain-text data exfiltration as all the data is encrypted client side. This vulnerability is patched in Vaultwarden `1.32.7`, and users are recommended to update as soon as possible. If it's not possible to update to `1.32.7`, some possible workarounds are: 1. Disabling `ORG_GROUPS_ENABLED`, which would disable groups functionality on the server. 2. Disabling `SIGNUPS_ALLOWED`, which would not allow an attacker to create new accounts on the server. | |||||
| CVE-2025-2771 | 1 Bectechnologies | 1 Router Firmware | 2025-08-18 | N/A | 5.3 MEDIUM |
| BEC Technologies Multiple Routers Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of BEC Technologies routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25894. | |||||
| CVE-2025-3910 | 1 Redhat | 1 Build Of Keycloak | 2025-08-18 | N/A | 5.4 MEDIUM |
| A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. | |||||
| CVE-2025-53793 | 1 Microsoft | 1 Azure Stack Hub | 2025-08-18 | N/A | 7.5 HIGH |
| Improper authentication in Azure Stack allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2025-54786 | 1 Salesagility | 1 Suitecrm | 2025-08-14 | N/A | 5.3 MEDIUM |
| SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1. | |||||
| CVE-2025-53771 | 1 Microsoft | 1 Sharepoint Server | 2025-08-14 | N/A | 6.5 MEDIUM |
| Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2025-55171 | 1 Wegia | 1 Wegia | 2025-08-14 | N/A | 7.5 HIGH |
| WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, the application does not check authentication at endpoint /html/personalizacao_remover.php allowing anonymous attacker (without login) to delete any Image files at endpoint /html/personalizacao_remover.php by defining imagem_0 as image id to delete. This issue has been patched in version 3.4.8. | |||||
| CVE-2025-55169 | 1 Wegia | 1 Wegia | 2025-08-14 | N/A | 6.5 MEDIUM |
| WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a path traversal vulnerability was discovered in the WeGIA application, html/socio/sistema/download_remessa.php endpoint. This vulnerability could allow an attacker to gain unauthorized access to local files in the server and sensitive information stored in config.php. config.php contains information that could allow direct access to the database. This issue has been patched in version 3.4.8. | |||||
| CVE-2025-53169 | 1 Huawei | 1 Harmonyos | 2025-08-12 | N/A | 7.6 HIGH |
| Vulnerability of bypassing the process to start SA and use related functions on distributed cameras Impact: Successful exploitation of this vulnerability may allow the peer device to use the camera without user awareness. | |||||
| CVE-2025-5495 | 1 Netgear | 2 Wnr614, Wnr614 Firmware | 2025-08-11 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in Netgear WNR614 1.1.0.28_1.0.1WW. It has been classified as critical. This affects an unknown part of the component URL Handler. The manipulation with the input %00currentsetting.htm leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This issue appears to have been circulating as an 0day since 2024. | |||||
| CVE-2025-54888 | 2025-08-11 | N/A | N/A | ||
| Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5. | |||||
| CVE-2025-49591 | 1 Xwiki | 1 Cryptpad | 2025-08-11 | N/A | 9.1 CRITICAL |
| CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's account, even if the victim has 2FA set up. This is due to 2FA not being enforced if the path parameter is not 44 characters long, which can be bypassed by simply URL encoding a single character in the path. This issue has been patched in version 2025.3.0. | |||||
| CVE-2023-24852 | 1 Qualcomm | 542 315 5g Iot Modem, 315 5g Iot Modem Firmware, 9205 Lte Modem and 539 more | 2025-08-11 | N/A | 8.4 HIGH |
| Memory Corruption in Core due to secure memory access by user while loading modem image. | |||||
| CVE-2023-43551 | 1 Qualcomm | 482 205 Mobile, 205 Mobile Firmware, 215 Mobile and 479 more | 2025-08-11 | N/A | 9.1 CRITICAL |
| Cryptographic issue while performing attach with a LTE network, a rogue base station can skip the authentication phase and immediately send the Security Mode Command. | |||||
| CVE-2024-38426 | 1 Qualcomm | 328 205, 205 Firmware, 215 and 325 more | 2025-08-11 | N/A | 5.4 MEDIUM |
| While processing the authentication message in UE, improper authentication may lead to information disclosure. | |||||
| CVE-2025-21450 | 1 Qualcomm | 216 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 213 more | 2025-08-11 | N/A | 9.1 CRITICAL |
| Cryptographic issue occurs due to use of insecure connection method while downloading. | |||||
| CVE-2023-33070 | 1 Qualcomm | 204 Apq5053-aa, Apq5053-aa Firmware, Aqt1000 and 201 more | 2025-08-11 | N/A | 7.1 HIGH |
| Transient DOS in Automotive OS due to improper authentication to the secure IO calls. | |||||
| CVE-2023-33054 | 1 Qualcomm | 336 315 5g Iot Modem, 315 5g Iot Modem Firmware, 8098 and 333 more | 2025-08-11 | N/A | 9.1 CRITICAL |
| Cryptographic issue in GPS HLOS Driver while downloading Qualcomm GNSS assistance data. | |||||
| CVE-2024-6248 | 1 Wyze | 2 Cam V3, Cam V3 Firmware | 2025-08-08 | N/A | 7.5 HIGH |
| Wyze Cam v3 Cloud Infrastructure Improper Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_action_batch endpoint of the cloud infrastructure. The issue results from the use of the device's MAC address as a sole credential for authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-22393. | |||||
| CVE-2024-1039 | 1 Gesslergmbh | 2 Web-master, Web-master Firmware | 2025-08-07 | N/A | 9.8 CRITICAL |
| Gessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device. | |||||